Security modes for a component-based web security model

ABSTRACT

Disclosed are examples of systems, apparatus, methods and computer program products for providing a security model for component-based web applications. Documents for a web-based application are received, with the application containing custom components and Application Programming Interface (API) components. A Document Object Model (DOM) is processed corresponding to the web-based application, with the components modeled in hierarchical form. Each API component is assigned to a system mode setting, where the system mode setting is configured to provide the API component access to all of the components in the application. One or more secure documents are generated for each custom component, with each secure document containing a key in accordance with the rules of capability security. Each custom component is then assigned to a user mode setting, where the user mode setting is configured to provide custom components access to other components in the application for which a key can be provided.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure as it appears in the United States Patent andTrademark Office patent file or records but otherwise reserves allcopyright rights whatsoever.

TECHNICAL FIELD

This patent document generally relates to web security, and morespecifically to providing security modes for a component-based websecurity model.

BACKGROUND

“Cloud computing” services provide shared resources, applications, andinformation to computers and other devices upon request. In cloudcomputing environments, services can be provided by one or more serversaccessible over the Internet rather than installing software locally onin-house computer systems. As such, users having a variety of roles caninteract with cloud computing services.

BRIEF DESCRIPTION OF THE DRAWINGS

The included drawings are for illustrative purposes and serve only toprovide examples of possible structures and operations for the disclosedinventive systems, apparatus, methods and computer program products forproviding security modes for a component-based web security model. Thesedrawings in no way limit any changes in form and detail that may be madeby one skilled in the art without departing from the spirit and scope ofthe disclosed implementations.

FIG. 1 shows a system diagram of an example of a system 100 forproviding a security model for component-based web applications, inaccordance with some implementations.

FIG. 2 shows a flowchart of an example of a method 200 for providing asecurity model for component-based web applications, performed inaccordance with some implementations.

FIG. 3 shows a flowchart of an example of a method 300 for providingsecurity modes for a component-based web security model, performed inaccordance with some implementations.

FIG. 4 shows an example of a component-based web application, inaccordance with some implementations.

FIG. 5A is an example of a Document Object Model (“DOM”) representing acomponent-based web application in a traditional security model, inaccordance with some implementations.

FIG. 5B is an example of a DOM in a traditional security model withJavaScript functions being called, in accordance with someimplementations.

FIG. 5C is an example of the included components within a webapplication under the traditional security model, in accordance withsome implementations.

FIG. 6A is an example of DOMs for encapsulated components in a webapplication under a component-based security model, in accordance withsome implementations.

FIG. 6B is an example of a virtual DOM for a custom component under acomponent-based security model, in accordance with some implementations.

FIG. 6C is an example of a virtual DOM for a custom component under acomponent-based security model, in accordance with some implementations.

FIG. 7A shows a block diagram of an example of an environment 10 inwhich an on-demand database service can be used in accordance with someimplementations.

FIG. 7B shows a block diagram of an example of some implementations ofelements of FIG. 7A and various possible interconnections between theseelements.

FIG. 8A shows a system diagram of an example of architectural componentsof an on-demand database service environment 900, in accordance withsome implementations.

FIG. 8B shows a system diagram further illustrating an example ofarchitectural components of an on-demand database service environment,in accordance with some implementations.

DETAILED DESCRIPTION

Examples of systems, apparatus, methods and computer program productsaccording to the disclosed implementations are described in thissection. These examples are being provided solely to add context and aidin the understanding of the disclosed implementations. It will thus beapparent to one skilled in the art that implementations may be practicedwithout some or all of these specific details. In other instances,certain operations have not been described in detail to avoidunnecessarily obscuring implementations. Other applications arepossible, such that the following examples should not be taken asdefinitive or limiting either in scope or setting.

In the following detailed description, references are made to theaccompanying drawings, which form a part of the description and in whichare shown, by way of illustration, specific implementations. Althoughthese implementations are described in sufficient detail to enable oneskilled in the art to practice the disclosed implementations, it isunderstood that these examples are not limiting, such that otherimplementations may be used and changes may be made without departingfrom their spirit and scope. For example, the operations of methodsshown and described herein are not necessarily performed in the orderindicated. It should also be understood that the methods may includemore or fewer operations than are indicated. In some implementations,operations described herein as separate operations may be combined.Conversely, what may be described herein as a single operation may beimplemented in multiple operations.

Some implementations of the disclosed systems, apparatus, methods andcomputer program products are configured for providing security modesfor a component-based web security model.

One of the most important considerations in internet technology has beensecurity. The nature of the internet has lent itself to manyvulnerabilities, exploits, and attacks. These may be attacks on the webbrowser on the client side, or exploits based on web application code,on the server side. Cross-site scripting (“XSS”) is an example of amajor vulnerability on the server side. A web application mayinadvertently leave itself open to an XSS exploit, allowing access ofJavaScript code to someone else such as a malicious party. While theparty may have no ability to change the code, it may be able to injectand execute malicious client-side scripts into the web page.

One of the conceptual areas of the internet in which security may becritical is the Document Object Model (“DOM”). A DOM is a programminginterface for Hypertext Markup Language (“HTML”) and Extensible MarkupLanguage (“XML”) documents. The DOM provides a structured, hierarchicalrepresentation of the document, and it defines the ways in which thestructure can be accessed from programs so that they can change thedocument structure, style and content. The DOM provides a representationof the document as a structured group of nodes, objects, elements,and/or components that have properties and methods. The DOM essentiallyserves the purpose of connecting web pages to scripts or components.

Traditionally, standards bodies such as W3C have provided standardizedDOMs that have been implemented in modern browsers. JavaScript code mayutilize the DOM to access the document and its elements. Every elementin the document, including the document as a whole, the head, tables,table headers, and text within table cells, is part of the DOM for thatdocument. All of these elements can be accessed and manipulated usingthe DOM and a scripting language like JavaScript.

Component-based web applications have recently been popularized comparedto single page applications. Web application components (“components”)are small, reusable elements that can combine and interrelate tocomprise a larger web application. Components are highly encapsulated,provide modular functionality, and ideally require no assumptions aboutthe web containers or pages they run in. Component-centric applicationsare becoming a popular way to provide similar user experiences across awide variety of devices, with little or no extra effort for any oneplatform or device.

One major security concern for component-based web applications relatesto the lack of separation and encapsulation between these components inthe web application. In a typical web application, there may beApplication Programming Interface (“API”) components for buildingapplications that may be publicly documented and provided for developersto use in their applications. There may also be additional, private APIsthat were necessary for applications to work, but were not publicallydocumented. While best practices recommend developers to not use suchprivate APIs, it was possible to access them in the DOM. In someinstances, this can lead to the developer, and outside maliciousparties, to have access to any part of the DOM, including globalelements and variables. Custom components, such as widgets and otherelements of a web application, may be able to scrape sensitiveinformation or manipulate elements in various ways.

By way of illustration, Acme is a company with an internal webapplication for its employees. One aspect of the web application is anelement that displays information on the company's relationship with amedical insurance provider, and displays a logged-in employee's accountfor that insurance provider. A separate element is a third-party widgetthat displays the current weather. Within the DOM for this application,the weather widget and the medical insurance element are on separatebranches of the document structure, yet are able to access methods andvariables from each other and from the top layer, the global document.Acme learns that the third-party weather widget had access to theprivate medical information of Acme's employees, because nothing waspreventing the widget from scraping the private information from theDOM. Thus, in this scenario, merely including the weather widget withinthe web application introduces a vulnerability that compromised theprivacy of Acme's employees.

Some of the disclosed techniques can be implemented to provide for acomponent-centric security model for web applications. This modelprovides for the secure encapsulation of DOM elements with fine-grainedaccess control. A secure virtual DOM is implemented for eachencapsulated element, such that developers may think they're workingwith actual components and the actual web document, but are reallyworking with “secure objects” that have been compiled as proxies. Thevirtual DOM is secured by giving custom components access only to thesecure elements and components that the developer has a “key” inphysical memory for. Access is prohibited for private and undocumentedAPI components, as well as components from other developers. In thisway, best security practices may be enforced for developers, and the DOMcan be protected from potential security problems, including scraping,XSS, spoofing, and other exploits.

Some of the disclosed techniques can be provided for implementingsecurity modes within a component-centric security model. Public APIcomponents, such as browser components, within the model can run in a“system mode”, similar to an operating system's system mode, in whichthe public components are provisioned full access to the real DOM, realdocuments, and real objects. Custom and private API components run in a“user mode” in which there is restricted access to the real DOM and realdocuments. These components are only given access to a secure virtualDOM. These secure custom and private components can make method calls toreceive access to elements within other elements. Security componentsrunning in system mode can ensure that the elements are uniquelyidentified by the developer's key, which is stored in physical memory.In this way, system mode has full access to the real DOM and allcomponents, and is capable of provisioning access of elements in variousways to custom components running in user mode.

Applying some implementations of the disclosed techniques, analternative scenario to that described above is provided. In thisalternative scenario, Acme has once again included employee medicalinformation in a section of the web application, and has included athird party custom element for weather within the same section. A DOM isprocessed for the web application, wherein both the medical informationcomponent and the weather component are modeled in a hierarchical treerepresenting the web application. A key is assigned to each component,constituting an object reference of the component in physical memory, inaccordance with the rules of capability security. For each component,one or more accessible components are then identified for which thecomponent can provide a key. A virtual DOM is then generated for eachcomponent, wherein the component and the identified accessiblecomponents for that component are modeled in hierarchical form. Accessis then restricted to all other, inaccessible components for thatcomponent. Since the third party weather widget and the medicalcomponent originated from different developers, they are given separatekeys and are not identified as accessible to one another. The weatherwidget, therefore, has no ability to call functions of the medicalelement, nor scrape sensitive information from the element. Thecomponents are encapsulated, and thus Acme no longer has the problem ofmalicious components exploiting the vulnerabilities of an unsecured DOM.

In addition, Acme can make use of multiple security modes for componentsto facilitate the encapsulation and security of each component. Once theDOM is processed, each API component within the DOM—such as trustedcomponents from authorized public APIs—is assigned to a “system mode”setting. The system mode setting is configured to provide the APIcomponent access to all of the components in the web-based application.One or more secure documents are then generated for each custom or thirdparty component, with each secure document including a key in physicalmemory in accordance with the rules of capability security. Each customcomponent in the DOM is assigned to a “user mode” setting, whereincustom components are provided access only to other components for whichthe custom component can provide the key assigned to the othercomponent. In some implementations, one of the API components isconfigured to determine whether custom components can provide thecorrect key to access other components. In this way, components can beassigned different levels of access for other components in the systemin a way similar to how many operating systems can be run in system oradministrative mode, or user mode.

In some but not all implementations, the disclosed methods, apparatus,systems, and computer-readable storage media may be configured ordesigned for use in a multi-tenant database environment or system.

The term “multi-tenant database system” can refer to those systems inwhich various elements of hardware and software of a database system maybe shared by one or more customers. For example, a given applicationserver may simultaneously process requests for a great number ofcustomers, and a given database table may store rows of data such asfeed items for a potentially much greater number of customers. The term“query plan” generally refers to one or more operations used to accessinformation in a database system.

FIG. 1 shows a system diagram of an example of a system 100 forproviding a security model for component-based web applications, inaccordance with some implementations. System 100 includes a variety ofdifferent hardware and/or software components which are in communicationwith each other. In the non-limiting example of FIG. 1, system 100includes at least one enterprise server 104, at least one client system108, at least one component database 112, and at least one DocumentObject Model (DOM) database 116.

Component database 112 can allow for storage and retrieval of componentswithin a web application. In some implementations, components may beretrieved from a remote server and stored in the component database 112.In some implementations, components in the component database 112 mayinclude custom components, public API components, and private APIcomponents.

Document Object Model (DOM) Database 116 can allow for storage andretrieval of one or more Document Object Models for a web application. ADOM for a web application can be processed by the system 100, such thatcomponents of the web application can be modeled in a hierarchical form.In some implementations, the DOM Database 116 retrieves components fromcomponent database 112 in order to model them hierarchically. In someimplementations, the DOM database 116 includes one or more virtual DOMrepresentations for individual components in the web application.

Enterprise server 104 may communicate with other components of system100. This communication may be facilitated through a combination ofnetworks and interfaces. Enterprise server 104 may handle and processdata requests from the client system 108. Likewise, enterprise server104 may return a response to client system 108 after a data request hasbeen processed. For example, enterprise server 104 may retrieve datafrom one or more databases, such as the component database 112 and thedocument object model database 116. It may combine some or all of thedata from different databases, and send the processed data to clientsystem 108.

Client system 108 may be a computing device capable of communicating viaone or more data networks with a server. Examples of client system 108include a desktop computer or portable electronic device such as asmartphone, a tablet, a laptop, a wearable device such as Google Glass®,another optical head-mounted display (OHMD) device, a smart watch, etc.Client system 108 includes at least one browser in which applicationsmay be deployed.

FIG. 2 shows a flowchart of an example of a method 200 for providing asecurity model for component-based web applications, performed inaccordance with some implementations. Method 200 and other methodsdescribed herein may be implemented using system 100 of FIG. 1, althoughthe implementations of such methods are not limited to system 100.

At block 210, system 100 receives documents for a web-based applicationcontaining one or more custom components and one or more API components.In some implementations, the documents are received through a browser atthe client system 108. In some implementations, the documents maycontain or relate to JavaScript, HTML, XML, or any other code or methodsfor generating web applications. For example, system 100, through abrowser on client system 108, may receive documents from a remote serverwith JavaScript and HTML for generating a web application. Customcomponents may be components that are developed by a specific developerfor use in the developer's application, or third-party components thatare developed for use in the developer's application. In someimplementations, API components may be publicly documented APIcomponents, or private, undocumented API components that are notintended to be accessible to custom components.

In some implementations, system 100 determines whether each APIcomponent is a private API component or a public API component. In someimplementations, the determination is performed by analyzing a list ofpublic API components and/or a list of private API components authorizedby system 100. In some implementations, API components may containmetadata which identifies them as public API components or private APIcomponents.

In some implementations, system 100 assigns a “strict” mode to thedocuments in the web-based application. A strict mode, also known as“use strict”, is a mode applied to JavaScript and potentially other webdocuments and code. In some implementations, in use strict mode, globalobjects cannot be accessed through the one or more components associatedwith the plurality of documents. In some implementations, strict modeprevents the value passed as “this” to provide components access toglobal variables and a global window. Instead, the function “this”returns an undefined, or null value. In this way, the ability to accessthe global elements of a DOM is prohibited.

In some implementations, system 100 assigns a content security policy tothe documents in the web-based application, such that converting astring of code into executable code within the documents is prohibited.The content security policy removes both safe inlines and unsafe evalsfor JavaScript and other documents. With content security policyenforcement, it is no longer possible within a document to convert astring of code into executable code. Instead, a worker frame isgenerated that allows unsafe-inline, and uses dynamically created<script>code</script> tags to convert strings to executable code outsideof the main runtime of the documents.

At block 220, system 100 processes a DOM corresponding to the web-basedapplication, wherein the components are modeled in hierarchical form,including the API components and custom components. In someimplementations, system 100 is configured to generate a DOM for a webapplication based on the characteristics and dependencies of eachcomponent within the web application. An example of a DOM generated orprocessed for a web-application is illustrated in FIG. 5A, which will bedescribed in further detail below.

At block 230, system 100 assigns a key to each custom component. The keyconstitutes an object reference of the custom component, in accordancewith the rules of capability security. Capability security may also beknown as a capability-based security model. Capability security is asecurity model used in the design of secure computing systems. Acapability, hereinafter referred to as a “key”, is a communicable,unforgeable token of authority. A key refers to a value that referencesan object along with an associated set of access rights. A key is neededin order to gain entry and access data and methods within components. Inthis way, a “key-based filtering” is applied to components within webapplications. In some implementations, all objects within a DOM, as wellas a DOM or virtual DOM, are either stamped with a key or not. In someimplementations, non-keyed objects are only accessible with a “masterkey” that contains access rights for all objects. In someimplementations, code within a custom component must possess or includethe correct key to access any given object. In some implementations,methods within custom components also provide a key-based filtered viewof all results sets. For example, invoking afindElementsByTagName(“div”) method may return only the <div> tags inthe underlying document that were keyed with the calling component'skey.

In some implementations, for each custom component, system 100determines one or more namespace identifications for a developerassociated with the custom component. Namespace identifications may beany identification for a given organization, company, developer, or anyother party utilizing system 100 in any capacity. A namespace for oneparty may be different from another party.

In some implementations, keys are assigned to custom components based onthe one or more namespace identifications of the developer associatedwith the custom component, and keyed components may be incompatible withone another based on the one or more namespace identifications. In someimplementations, a namespace may be a company name. Any custom componentwithin that specific namespace can provide the key for, and access,other custom components within the namespace. In some implementations,identification or associations other than namespace may be used toassign keys.

At block 240, for each custom component, system 100 identifies one ormore accessible custom components the custom component can provide a keyfor. In some implementations, system 100 determines which customcomponents a custom component can provide a proper key for, and assignsan association between those custom components. In some implementations,the identification can be based on namespace or other identification orassociation method.

At block 250, system 100 generates a virtual DOM for each customcomponent corresponding to the web-based application. The customcomponent and identified accessible custom components are modeled inhierarchical form within the virtual DOM. In some implementations,public API components of the web application are modeled in hierarchicalform as well. In some implementations, the virtual DOM may be modeled inthe same way a standard DOM is modeled by system 100, but withcomponents that cannot be accessed by that particular component blockedoff, made invisible, or designated as inaccessible. Examples of virtualDOM hierarchies are illustrated in FIG. 6B and FIG. 6C, which will bedescribed in further detail below.

At block 260, for each custom component, system 100 restricts access ofthe custom component to all inaccessible components the custom componentcannot provide a key for. In some implementations, within the virtualDOM all inaccessible components will be blocked off, invisible ordesignated as inaccessible by the custom component in question. In someimplementations, if the custom component attempts to make method callsof inaccessible components, or use variables or code of inaccessiblecomponents, system 100 will return an exception or error message. Insome implementations, access to the real, original DOM of the web-basedapplication is restricted for each custom component. Rather thanaccessing the DOM and global variables directly, custom components workwithin the virtual DOM, wherein access to components is limited based onthe security model.

In some implementations, system 100 restricts access of customcomponents to all private API components. Within the component-basedsecurity model, private, undocumented API components are prohibited frombeing accessed by custom components and by developers working with thosecustom components.

FIG. 3 shows a flowchart of an example of a method 300 for providingsecurity modes for a component-based web security model, performed inaccordance with some implementations. Method 300 and other methodsdescribed herein may be implemented using system 100 of FIG. 1, althoughthe implementations of such methods are not limited to system 100.

At block 310, system 100 receives documents for a web-based applicationcontaining multiple components, the components consisting of multiplecustom components and multiple API components. In some implementations,the documents are received through a browser at the client system 108.In some implementations, the documents may contain or relate toJavaScript, HTML, XML, or any other code or methods for generating webapplications. For example, system 100, through a browser on clientsystem 108, may receive documents from a remote server with JavaScriptand HTML for generating a web application. Custom components may becomponents that are developed by a specific developer for use in thedeveloper's application, or third-party components that are developedfor use in the developer's application. In some implementations, APIcomponents may be publicly documented API components, or private,undocumented API components that are not intended to be accessible tocustom components. In some implementations, system 100 determines theAPI components are trusted or verified in some way within the system. Insome implementations, system 100 determines the API components aretrusted or verified by analyzing a whitelist of components and/ordomains that are trusted or verified.

In some implementations, system 100 determines whether each APIcomponent is a private API component or a public API component. In someimplementations, the determination is performed by analyzing a list ofpublic API components and/or a list of private API components authorizedby system 100. In some implementations, API components may containmetadata which identifies them as public API components or private APIcomponents.

At block 320, system 100 processes a DOM corresponding to the web-basedapplication, wherein the components are modeled in hierarchical form. Insome implementations, system 100 is configured to generate a DOM for aweb application based on the characteristics and dependencies of eachcomponent within the web application.

At block 330, system 100 assigns each API component to a system modesetting. The system mode setting is configured to provide the APIcomponent access to all of the components in the web-based application.For example, in a web-based application with several public and privateAPI components and several custom components, the API components willall have access to the full number of components, their methods, andtheir data.

At block 340, system 100 generates one or more secure documents for eachcustom component. A secure document is a document that consists of mostor all of the contents of the original document within the customcomponent. Each secure document contains a key constituting an objectreference of the custom component, such that the custom component isaccessible only to other components possessing the key in the user modesetting and to API components in the system mode setting, in accordancewith the rules of capability security. Since a custom component in usermode must possess the key of another component in user mode in order toaccess it, a developer may only be able to work with a limited set ofsecure documents pertaining to the accessible components. In someimplementations, the developer will not have access to or ability tomanipulate the original documents. In some implementations, upongenerating the one or more secure documents for a custom component,access to the one or more original documents associated with the customcomponent is prohibited to all components except for API components

In some implementations, system 100 provides keys for all customcomponents to all API components assigned to a system mode setting. Thisuniversal access to keys by system mode API components is sometimescalled a “master key.” Since API components are trusted, authorizedcomponents that can access the original DOM and all global elements,they are also trusted with access to all of the custom components, andthey are capable of unlocking any component's capability securitymechanism with this master key.

In some implementations, system 100 determines, by an API componentassigned to a system mode setting, that a custom component assigned to auser mode setting can provide the key to another custom componentassigned to a user mode setting. An API component may therefore act as asecurity gatekeeper for ensuring that components have the proper keys tobe able to access keyed components. In some implementations, the APIcomponent has master key access to all components, so it may serve thissecurity gatekeeper role by regulating component access to othercomponents.

In some implementations, system 100 generates a stamp associated witheach custom component, wherein the stamp uniquely identifies acapability security mechanism, or “lock”, associated with the customcomponent, and prevents the lock from being spoofed or copied as part ofan attack or exploit. In some situations, despite the security offeredby providing a key for a lock to access a component, a malicious partymay spoof the lock itself, or otherwise tamper with the capabilitysecurity mechanism. To prevent this, a stamp may be generated thatuniquely identifies the lock, and system 100 stores and keeps track ofall locks created in the session. If a lock does not match a stamp, thensystem 100 prohibits the key from being used in the lock, even if thekey provided may fit that lock. This prevents malicious parties fromspoofing and bypassing security functions within the security model. Insome implementations, system 100 determines, upon a component providinga key for another component, that the capability security mechanism ofthe other component is associated with the stamp for that othercomponent.

At block 350, system 100 assigns each component to a user mode setting.The user mode setting is configured to provide custom components accessonly to other components in the web-based application for which thecustom component can provide the key assigned to the other component.

In some implementations, for each component, system 100 restricts accessto other custom components for which the custom component cannot providethe key. In some implementations, access may be restricted by blockingoff visibility and access within a virtual DOM. In some implementations,for each component, system 100 restricts access to private APIcomponents. Such restricted access promotes best security practices bypreventing developers access to private, undocumented APIs that are notdesigned to be accessed publicly and that can contain security exploits.In some implementations, components within the user mode setting areprovided access by system 100 to public API components. Since public APIcomponents are documented, authorized, and fully available fordevelopers to use, they are allowed to be visible and accessible tocustom components.

In some implementation, one or more additional security modes may bepresent that are different and distinguishable from the system mode anduser mode described above. In some implementations, an additionalsecurity mode restricts access of a component to one or more othercomponents. In some implementations, an additional security modeprovides access of the component to one or more other components. Itwill be appreciated that a wide variety of security modes may exist,providing various degrees and types of granularity and access control ofparts of the DOM to components.

FIG. 4 shows an example of a component-based web application, inaccordance with some implementations. Multiple components are presentwithin the web application, and combine together to create a functionalapplication. In some implementation, the view as shown in FIG. 4 is theview that is presented to a client using client system 108. In someimplementations, a browser may display the view within the client system108.

The ui:button component 410 is a button component of the webapplication. The button serves the purpose of updating all of the othercomponents within the web application. In some implementations, when auser clicks on the button, system 100 retrieves the latest data from theother components by calling their methods. The button component is aprivate API component, and is undocumented. ns1:weather component 420 isa weather component that serves the purpose of presenting up-to-dateweather to the user. In this example, the weather component displays thetemperature, day, date, chance of rain, and other weather informationbased on a user's location. ns1:map component 430 is a map componentthat shows the location of the user and surrounding area within a mapdisplayable to the user. ns2:finance component 440 is a financecomponent that shows details of the user's finances. In this example, itdisplays the name of a customer, and the balance of that customer indollars.

FIG. 5A, FIG. 5B, and FIG. 5C are examples of a component-based webapplication operating under a traditional security model, rather thanthe component-based security model described herein.

FIG. 5A is an example of a DOM representing a component-based webapplication in a traditional security model, in accordance with someimplementations. Window 510 represents the window of a web-applicationthat contains the content displayed for that web application. Real DOM512 is a real, non-virtual DOM that the system processes for the givenweb application. Within real DOM 512, the document and its objects aredisplayed. Document object 520 is at the top of the hierarchy, as it isthe main <document> tag that contains all of the contents for thedocument. Under the document object 520 are a head object 522, htmlobject 521, and body object 523. Under the body object 523 are branchingcomponents for a button object 525, weather object 526, map object 528,and finance object 527. The button object 525 is a private APIcomponent, while the weather object 526, map object 528, and financeobject 527 are all custom components.

FIG. 5B is an example of a DOM in a traditional security model withJavaScript functions being called, in accordance with someimplementations. Window 530, real DOM 540, and the DOM hierarchy 550 aredepicted, as in FIG. 5A. JavaScript functions 560-565 depict functionsfor the button, public API, private API, finance, weather, and mapcomponents being called by the various components. Within thistraditional security model, any JavaScript of any component can call anyJavaScript functions of any other component, as they are all loaded intothe DOM. Any JavaScript can also call any undocumented, private APIcomponent. In addition, any JavaScript can access the real DOM, andreceive rendered data from other components. Finally, as there is nosecurity review of components, a number of security issues can bepresent within this example, including cross-site scripting.

FIG. 5C is an example of the included components within a webapplication under the traditional security model, in accordance withsome implementations. FIG. 5C shows the ui:button component 570, thens1:weather component 572, the ns1:map component 574 that is dependenton the weather component 572, and the ns2:finance component 576.

FIG. 6A, FIG. 6B, and FIG. 6C are examples of a component-based webapplication operating under a component-based security model withsecurity modes.

FIG. 6A is an example of DOMs for encapsulated components in a webapplication under a component-based security model, in accordance withsome implementations.

Under this component-based security model, in some implementations thecomponents may be divided between two or more security modes. In thisexample, custom components are assigned to a user mode 610, while APIcomponents are assigned to a system mode 630. The system mode 630includes an button component 632, consisting of a window containing areal DOM, with all objects within the web application represented in ahierarchical form. The button component is a private API component inthis example; in some implementations, this means that the API componenthas not been publicly documented, and is not publicly accessible orintended to be called by developers. Within the system mode 630, publicand private APIs have full access to the real DOM and real document ofthe web application, including methods of the components. In addition,custom components will only be able to access public and documented APIcomponents, and won't be able to access private, undocumented APIs. Inthis example, the private API JavaScript 634 is accessible to the buttoncomponent 632, but not to any of the components in user mode 610.

Weather and map components 620 and finance component 622 are assigned touser mode 610. These components are custom components. The weather andmap components 620 are third-party components that have been written bya third party rather than the web application's developers. The financecomponent 622, however, is a custom component written by the webapplication's developers. The weather and map components 620 areassigned virtual DOMs that appear identical. The finance component 622is assigned a virtual DOM that appears different. In this example,namespace of organizations within system 100 determines keys and access.In some implementations, keys are assigned to all components. Theweather and map components are assigned keys based on the namespace ofthe third party developer, and will possess keys such that they areaccessible to each other. This is reflected in the secure DOM hierarchyfor the weather and map components, which depicts the weather and mapcomponents being visible and accessible, but the button and financecomponents being crossed out and inaccessible. This is because thebutton component is a private API that cannot be viewed or accessed bycustom components in user mode 610, and the finance button is a customcomponent that is in a different namespace and has a key that theweather and map components do not possess. The finance component 622,meanwhile, has the button, weather, and map components crossed out andinaccessible, because they are, respectively, a private API component,and two third-party custom components under a different namespace thatthe finance component does not possess the key for. In this way, privateAPI components such as button component 632 and private API JavaScript634 and inaccessible to the custom components in the user mode 610.Custom components are also inaccessible to each other if they do notpossess the key for each other. Component JavaScript 624 is sometimesaccessible to custom components depending on if a component possessesthe key to access it. Public API JavaScript 626 is always accessible tocustom components. Public API components and JavaScript are trusted andpublicly documents, and are intended for use by developers. Thus,accessing these API components is necessary for proper functionality ofweb applications using public APIs.

FIG. 6B is an example of a virtual DOM for a custom component under acomponent-based security model, in accordance with some implementations.

A weather component and a map component, 640, are illustrated. System100 processes or generates a secure, virtual DOM 642 for the weathercomponent. The map component is a dependent child of the weathercomponent. Within the secure DOM 642, objects are modeled inhierarchical form, with access and visibility presented only foridentified components that are public API components or are customcomponents for which the weather component possesses a key. Here, anbutton component 644 is crossed out and inaccessible, as it is a privateAPI component that user mode components cannot access. A financecomponent 646 is also crossed out and inaccessible, because it is acustom component in a different namespace, from a different developer,and the weather component does not possess the key for the financecomponent. The weather component does have full access and visibility toitself as shown in weather component 648, and also have full access andvisibility to its dependent component, map component 650.

FIG. 6C is an example of a virtual DOM for a custom component under acomponent-based security model, in accordance with some implementations.

A finance component 660 is illustrated. System 100 processes orgenerates a secure, virtual DOM 670 for the finance component. Withinthe secure DOM 670, objects are modeled in hierarchical form, withaccess and visibility presented only for identified components that arepublic API components or are custom components for which the financecomponent possesses a key. Here, an button 672 is crossed out andinaccessible, as it is a private API component that user mode componentscannot access. The weather and map components 674 are also crossed outand inaccessible, because they are third party custom components in adifferent namespace, from a different developer, and the financecomponent does not possess the keys for the weather and map components.The finance component does have full access and visibility to itself asshown in finance component 676.

Systems, apparatus, and methods are described below for implementingdatabase systems and enterprise level social and business informationnetworking systems in conjunction with the disclosed techniques. Suchimplementations can provide more efficient use of a database system. Forinstance, a user of a database system may not easily know when importantinformation in the database has changed, e.g., about a project orclient. Such implementations can provide feed tracked updates about suchchanges and other events, thereby keeping users informed.

By way of example, a user can update a record in the form of a CRMrecord, e.g., an opportunity such as a possible sale of 1000 computers.Once the record update has been made, a feed tracked update about therecord update can then automatically be provided, e.g., in a feed, toanyone subscribing to the opportunity or to the user. Thus, the userdoes not need to contact a manager regarding the change in theopportunity, since the feed tracked update about the update is sent viaa feed to the manager's feed page or other page.

FIG. 7A shows a block diagram of an example of an environment 10 inwhich an on-demand database service exists and can be used in accordancewith some implementations. Environment 10 may include user systems 12,network 14, database system 16, processor system 17, applicationplatform 18, network interface 20, tenant data storage 22, system datastorage 24, program code 26, and process space 28. In otherimplementations, environment 10 may not have all of these componentsand/or may have other components instead of, or in addition to, thoselisted above.

A user system 12 may be implemented as any computing device(s) or otherdata processing apparatus such as a machine or system used by a user toaccess a database system 16. For example, any of user systems 12 can bea handheld and/or portable computing device such as a mobile phone, asmartphone, a laptop computer, or a tablet. Other examples of a usersystem include computing devices such as a work station and/or a networkof computing devices. As illustrated in FIG. 7A (and in more detail inFIG. 7B) user systems 12 might interact via a network 14 with anon-demand database service, which is implemented in the example of FIG.7A as database system 16.

An on-demand database service, implemented using system 16 by way ofexample, is a service that is made available to users who do not need tonecessarily be concerned with building and/or maintaining the databasesystem. Instead, the database system may be available for their use whenthe users need the database system, i.e., on the demand of the users.Some on-demand database services may store information from one or moretenants into tables of a common database image to form a multi-tenantdatabase system (MTS). A database image may include one or more databaseobjects. A relational database management system (RDBMS) or theequivalent may execute storage and retrieval of information against thedatabase object(s). A non-relational database management system (NRDBMS)or the equivalent may execute storage and fast retrieval of large setsof information against the database object(s). Application platform 18may be a framework that allows the applications of system 16 to run,such as the hardware and/or software, e.g., the operating system. Insome implementations, application platform 18 enables creation, managingand executing one or more applications developed by the provider of theon-demand database service, users accessing the on-demand databaseservice via user systems 12, or third party application developersaccessing the on-demand database service via user systems 12.

The users of user systems 12 may differ in their respective capacities,and the capacity of a particular user system 12 might be entirelydetermined by permissions (permission levels) for the current user. Forexample, when a salesperson is using a particular user system 12 tointeract with system 16, the user system has the capacities allotted tothat salesperson. However, while an administrator is using that usersystem to interact with system 16, that user system has the capacitiesallotted to that administrator. In systems with a hierarchical rolemodel, users at one permission level may have access to applications,data, and database information accessible by a lower permission leveluser, but may not have access to certain applications, databaseinformation, and data accessible by a user at a higher permission level.Thus, different users will have different capabilities with regard toaccessing and modifying application and database information, dependingon a user's security or permission level, also called authorization.

Network 14 is any network or combination of networks of devices thatcommunicate with one another. For example, network 14 can be any one orany combination of a LAN (local area network), WAN (wide area network),telephone network, wireless network, point-to-point network, starnetwork, token ring network, hub network, or other appropriateconfiguration. Network 14 can include a TCP/IP (Transfer ControlProtocol and Internet Protocol) network, such as the global internetworkof networks often referred to as the Internet. The Internet will be usedin many of the examples herein. However, it should be understood thatthe networks that the present implementations might use are not solimited.

User systems 12 might communicate with system 16 using TCP/IP and, at ahigher network level, use other common Internet protocols tocommunicate, such as HTTP, FTP, AFS, WAP, etc. In an example where HTTPis used, user system 12 might include an HTTP client commonly referredto as a “browser” for sending and receiving HTTP signals to and from anHTTP server at system 16. Such an HTTP server might be implemented asthe sole network interface 20 between system 16 and network 14, butother techniques might be used as well or instead. In someimplementations, the network interface 20 between system 16 and network14 includes load sharing functionality, such as round-robin HTTP requestdistributors to balance loads and distribute incoming HTTP requestsevenly over a plurality of servers. At least for users accessing system16, each of the plurality of servers has access to the MTS' data;however, other alternative configurations may be used instead.

In one implementation, system 16, shown in FIG. 7A, implements aweb-based CRM system. For example, in one implementation, system 16includes application servers configured to implement and execute CRMsoftware applications as well as provide related data, code, forms, webpages and other information to and from user systems 12 and to store to,and retrieve from, a database system related data, objects, and Webpagecontent. With a multi-tenant system, data for multiple tenants may bestored in the same physical database object in tenant data storage 22,however, tenant data typically is arranged in the storage medium(s) oftenant data storage 22 so that data of one tenant is kept logicallyseparate from that of other tenants so that one tenant does not haveaccess to another tenant's data, unless such data is expressly shared.In certain implementations, system 16 implements applications otherthan, or in addition to, a CRM application. For example, system 16 mayprovide tenant access to multiple hosted (standard and custom)applications, including a CRM application. User (or third partydeveloper) applications, which may or may not include CRM, may besupported by the application platform 18, which manages creation,storage of the applications into one or more database objects andexecuting of the applications in a virtual machine in the process spaceof the system 16.

One arrangement for elements of system 16 is shown in FIGS. 7A and 7B,including a network interface 20, application platform 18, tenant datastorage 22 for tenant data 23, system data storage 24 for system data 25accessible to system 16 and possibly multiple tenants, program code 26for implementing various functions of system 16, and a process space 28for executing MTS system processes and tenant-specific processes, suchas running applications as part of an application hosting service.Additional processes that may execute on system 16 include databaseindexing processes.

Several elements in the system shown in FIG. 7A include conventional,well-known elements that are explained only briefly here. For example,each user system 12 could include a desktop personal computer,workstation, laptop, PDA, cell phone, or any wireless access protocol(WAP) enabled device or any other computing device capable ofinterfacing directly or indirectly to the Internet or other networkconnection. The term “computing device” is also referred to hereinsimply as a “computer”. User system 12 typically runs an HTTP client,e.g., a browsing program, such as Microsoft's Internet Explorer browser,Netscape's Navigator browser, Opera's browser, or a WAP-enabled browserin the case of a cell phone, PDA or other wireless device, or the like,allowing a user (e.g., subscriber of the multi-tenant database system)of user system 12 to access, process and view information, pages andapplications available to it from system 16 over network 14. Each usersystem 12 also typically includes one or more user input devices, suchas a keyboard, a mouse, trackball, touch pad, touch screen, pen or thelike, for interacting with a GUI provided by the browser on a display(e.g., a monitor screen, LCD display, OLED display, etc.) of thecomputing device in conjunction with pages, forms, applications andother information provided by system 16 or other systems or servers.Thus, “display device” as used herein can refer to a display of acomputer system such as a monitor or touch-screen display, and can referto any computing device having display capabilities such as a desktopcomputer, laptop, tablet, smartphone, a television set-top box, orwearable device such Google Glass® or other human body-mounted displayapparatus. For example, the display device can be used to access dataand applications hosted by system 16, and to perform searches on storeddata, and otherwise allow a user to interact with various GUI pages thatmay be presented to a user. As discussed above, implementations aresuitable for use with the Internet, although other networks can be usedinstead of or in addition to the Internet, such as an intranet, anextranet, a virtual private network (VPN), a non-TCP/IP based network,any LAN or WAN or the like.

According to one implementation, each user system 12 and all of itscomponents are operator configurable using applications, such as abrowser, including computer code run using a central processing unitsuch as an Intel Pentium® processor or the like. Similarly, system 16(and additional instances of an MTS, where more than one is present) andall of its components might be operator configurable usingapplication(s) including computer code to run using processor system 17,which may be implemented to include a central processing unit, which mayinclude an Intel Pentium® processor or the like, and/or multipleprocessor units. Non-transitory computer-readable media can haveinstructions stored thereon/in, that can be executed by or used toprogram a computing device to perform any of the methods of theimplementations described herein. Computer program code 26 implementinginstructions for operating and configuring system 16 to intercommunicateand to process web pages, applications and other data and media contentas described herein is preferably downloadable and stored on a harddisk, but the entire program code, or portions thereof, may also bestored in any other volatile or non-volatile memory medium or device asis well known, such as a ROM or RAM, or provided on any media capable ofstoring program code, such as any type of rotating media includingfloppy disks, optical discs, digital versatile disk (DVD), compact disk(CD), microdrive, and magneto-optical disks, and magnetic or opticalcards, nanosystems (including molecular memory ICs), or any other typeof computer-readable medium or device suitable for storing instructionsand/or data. Additionally, the entire program code, or portions thereof,may be transmitted and downloaded from a software source over atransmission medium, e.g., over the Internet, or from another server, asis well known, or transmitted over any other conventional networkconnection as is well known (e.g., extranet, VPN, LAN, etc.) using anycommunication medium and protocols (e.g., TCP/IP, HTTP, HTTPS, Ethernet,etc.) as are well known. It will also be appreciated that computer codefor the disclosed implementations can be realized in any programminglanguage that can be executed on a client system and/or server or serversystem such as, for example, C, C++, HTML, any other markup language,Java™, JavaScript, ActiveX, any other scripting language, such asVBScript, and many other programming languages as are well known may beused. (Java™ is a trademark of Sun Microsystems, Inc.).

According to some implementations, each system 16 is configured toprovide web pages, forms, applications, data and media content to user(client) systems 12 to support the access by user systems 12 as tenantsof system 16. As such, system 16 provides security mechanisms to keepeach tenant's data separate unless the data is shared. If more than oneMTS is used, they may be located in close proximity to one another(e.g., in a server farm located in a single building or campus), or theymay be distributed at locations remote from one another (e.g., one ormore servers located in city A and one or more servers located in cityB). As used herein, each MTS could include one or more logically and/orphysically connected servers distributed locally or across one or moregeographic locations. Additionally, the term “server” is meant to referto one type of computing device such as a system including processinghardware and process space(s), an associated storage medium such as amemory device or database, and, in some instances, a databaseapplication (e.g., OODBMS or RDBMS) as is well known in the art. Itshould also be understood that “server system” and “server” are oftenused interchangeably herein. Similarly, the database objects describedherein can be implemented as single databases, a distributed database, acollection of distributed databases, a database with redundant online oroffline backups or other redundancies, etc., and might include adistributed database or storage network and associated processingintelligence.

FIG. 7B shows a block diagram of an example of some implementations ofelements of FIG. 7A and various possible interconnections between theseelements. That is, FIG. 7B also illustrates environment 10. However, inFIG. 7B elements of system 16 and various interconnections in someimplementations are further illustrated. FIG. 7B shows that user system12 may include processor system 12A, memory system 12B, input system12C, and output system 12D. FIG. 7B shows network 14 and system 16. FIG.7B also shows that system 16 may include tenant data storage 22, tenantdata 23, system data storage 24, system data 25, User Interface (UI) 30,Application Program Interface (API) 32, PL/SOQL 34, save routines 36,application setup mechanism 38, application servers 50 ₁-50 _(N), systemprocess space 52, tenant process spaces 54, tenant management processspace 60, tenant storage space 62, user storage 64, and applicationmetadata 66. In other implementations, environment 10 may not have thesame elements as those listed above and/or may have other elementsinstead of, or in addition to, those listed above.

User system 12, network 14, system 16, tenant data storage 22, andsystem data storage 24 were discussed above in FIG. 7A. Regarding usersystem 12, processor system 12A may be any combination of one or moreprocessors. Memory system 12B may be any combination of one or morememory devices, short term, and/or long term memory. Input system 12Cmay be any combination of input devices, such as one or more keyboards,mice, trackballs, scanners, cameras, and/or interfaces to networks.Output system 12D may be any combination of output devices, such as oneor more monitors, printers, and/or interfaces to networks. As shown byFIG. 7B, system 16 may include a network interface 20 (of FIG. 7A)implemented as a set of application servers 50, an application platform18, tenant data storage 22, and system data storage 24. Also shown issystem process space 52, including individual tenant process spaces 54and a tenant management process space 60. Each application server 50 maybe configured to communicate with tenant data storage 22 and the tenantdata 23 therein, and system data storage 24 and the system data 25therein to serve requests of user systems 12. The tenant data 23 mightbe divided into individual tenant storage spaces 62, which can be eithera physical arrangement and/or a logical arrangement of data. Within eachtenant storage space 62, user storage 64 and application metadata 66might be similarly allocated for each user. For example, a copy of auser's most recently used (MRU) items might be stored to user storage64. Similarly, a copy of MRU items for an entire organization that is atenant might be stored to tenant storage space 62. A UI 30 provides auser interface and an API 32 provides an application programmerinterface to system 16 resident processes to users and/or developers atuser systems 12. The tenant data and the system data may be stored invarious databases, such as one or more Oracle® databases.

Application platform 18 includes an application setup mechanism 38 thatsupports application developers' creation and management ofapplications, which may be saved as metadata into tenant data storage 22by save routines 36 for execution by subscribers as one or more tenantprocess spaces 54 managed by tenant management process 60 for example.Invocations to such applications may be coded using PL/SOQL 34 thatprovides a programming language style interface extension to API 32. Adetailed description of some PL/SOQL language implementations isdiscussed in commonly assigned U.S. Pat. No. 7,730,478, titled METHODAND SYSTEM FOR ALLOWING ACCESS TO DEVELOPED APPLICATIONS VIA AMULTI-TENANT ON-DEMAND DATABASE SERVICE, by Craig Weissman, issued onJun. 1, 2010, and hereby incorporated by reference in its entirety andfor all purposes. Invocations to applications may be detected by one ormore system processes, which manage retrieving application metadata 66for the subscriber making the invocation and executing the metadata asan application in a virtual machine.

Each application server 50 may be communicably coupled to databasesystems, e.g., having access to system data 25 and tenant data 23, via adifferent network connection. For example, one application server 50 ₁might be coupled via the network 14 (e.g., the Internet), anotherapplication server 50 _(N-1) might be coupled via a direct network link,and another application server 50 _(N) might be coupled by yet adifferent network connection. Transfer Control Protocol and InternetProtocol (TCP/IP) are typical protocols for communicating betweenapplication servers 50 and the database system. However, it will beapparent to one skilled in the art that other transport protocols may beused to optimize the system depending on the network interconnect used.

In certain implementations, each application server 50 is configured tohandle requests for any user associated with any organization that is atenant. Because it is desirable to be able to add and remove applicationservers from the server pool at any time for any reason, there ispreferably no server affinity for a user and/or organization to aspecific application server 50. In one implementation, therefore, aninterface system implementing a load balancing function (e.g., an F5Big-IP load balancer) is communicably coupled between the applicationservers 50 and the user systems 12 to distribute requests to theapplication servers 50. In one implementation, the load balancer uses aleast connections algorithm to route user requests to the applicationservers 50. Other examples of load balancing algorithms, such as roundrobin and observed response time, also can be used. For example, incertain implementations, three consecutive requests from the same usercould hit three different application servers 50, and three requestsfrom different users could hit the same application server 50. In thismanner, by way of example, system 16 is multi-tenant, wherein system 16handles storage of, and access to, different objects, data andapplications across disparate users and organizations.

As an example of storage, one tenant might be a company that employs asales force where each salesperson uses system 16 to manage their salesprocess. Thus, a user might maintain contact data, leads data, customerfollow-up data, performance data, goals and progress data, etc., allapplicable to that user's personal sales process (e.g., in tenant datastorage 22). In an example of a MTS arrangement, since all of the dataand the applications to access, view, modify, report, transmit,calculate, etc., can be maintained and accessed by a user system havingnothing more than network access, the user can manage his or her salesefforts and cycles from any of many different user systems. For example,if a salesperson is visiting a customer and the customer has Internetaccess in their lobby, the salesperson can obtain critical updates as tothat customer while waiting for the customer to arrive in the lobby.

While each user's data might be separate from other users' dataregardless of the employers of each user, some data might beorganization-wide data shared or accessible by a plurality of users orall of the users for a given organization that is a tenant. Thus, theremight be some data structures managed by system 16 that are allocated atthe tenant level while other data structures might be managed at theuser level. Because an MTS might support multiple tenants includingpossible competitors, the MTS should have security protocols that keepdata, applications, and application use separate. Also, because manytenants may opt for access to an MTS rather than maintain their ownsystem, redundancy, up-time, and backup are additional functions thatmay be implemented in the MTS. In addition to user-specific data andtenant-specific data, system 16 might also maintain system level datausable by multiple tenants or other data. Such system level data mightinclude industry reports, news, postings, and the like that are sharableamong tenants.

In certain implementations, user systems 12 (which may be clientsystems) communicate with application servers 50 to request and updatesystem-level and tenant-level data from system 16 that may involvesending one or more queries to tenant data storage 22 and/or system datastorage 24. System 16 (e.g., an application server 50 in system 16)automatically generates one or more SQL statements (e.g., one or moreSQL queries) that are designed to access the desired information. Systemdata storage 24 may generate query plans to access the requested datafrom the database.

Each database can generally be viewed as a collection of objects, suchas a set of logical tables, containing data fitted into predefinedcategories. A “table” is one representation of a data object, and may beused herein to simplify the conceptual description of objects and customobjects according to some implementations. It should be understood that“table” and “object” may be used interchangeably herein. Each tablegenerally contains one or more data categories logically arranged ascolumns or fields in a viewable schema. Each row or record of a tablecontains an instance of data for each category defined by the fields.For example, a CRM database may include a table that describes acustomer with fields for basic contact information such as name,address, phone number, fax number, etc. Another table might describe apurchase order, including fields for information such as customer,product, sale price, date, etc. In some multi-tenant database systems,standard entity tables might be provided for use by all tenants. For CRMdatabase applications, such standard entities might include tables forcase, account, contact, lead, and opportunity data objects, eachcontaining pre-defined fields. It should be understood that the word“entity” may also be used interchangeably herein with “object” and“table”.

In some multi-tenant database systems, tenants may be allowed to createand store custom objects, or they may be allowed to customize standardentities or objects, for example by creating custom fields for standardobjects, including custom index fields. Commonly assigned U.S. Pat. No.7,779,039, titled CUSTOM ENTITIES AND FIELDS IN A MULTI-TENANT DATABASESYSTEM, by Weissman et al., issued on Aug. 17, 2010, and herebyincorporated by reference in its entirety and for all purposes, teachessystems and methods for creating custom objects as well as customizingstandard objects in a multi-tenant database system. In certainimplementations, for example, all custom entity data rows are stored ina single multi-tenant physical table, which may contain multiple logicaltables per organization. It is transparent to customers that theirmultiple “tables” are in fact stored in one large table or that theirdata may be stored in the same table as the data of other customers.

FIG. 8A shows a system diagram of an example of architectural componentsof an on-demand database service environment 900, in accordance withsome implementations. A client machine located in the cloud 904,generally referring to one or more networks in combination, as describedherein, may communicate with the on-demand database service environmentvia one or more edge routers 908 and 912. A client machine can be any ofthe examples of user systems 12 described above. The edge routers maycommunicate with one or more core switches 920 and 924 via firewall 916.The core switches may communicate with a load balancer 928, which maydistribute server load over different pods, such as the pods 940 and944. The pods 940 and 944, which may each include one or more serversand/or other computing resources, may perform data processing and otheroperations used to provide on-demand services. Communication with thepods may be conducted via pod switches 932 and 936. Components of theon-demand database service environment may communicate with a databasestorage 956 via a database firewall 948 and a database switch 952.

As shown in FIGS. 8A and 8B, accessing an on-demand database serviceenvironment may involve communications transmitted among a variety ofdifferent hardware and/or software components. Further, the on-demanddatabase service environment 900 is a simplified representation of anactual on-demand database service environment. For example, while onlyone or two devices of each type are shown in FIGS. 8A and 8B, someimplementations of an on-demand database service environment may includeanywhere from one to many devices of each type. Also, the on-demanddatabase service environment need not include each device shown in FIGS.8A and 8B, or may include additional devices not shown in FIGS. 8A and8B.

Moreover, one or more of the devices in the on-demand database serviceenvironment 900 may be implemented on the same physical device or ondifferent hardware. Some devices may be implemented using hardware or acombination of hardware and software. Thus, terms such as “dataprocessing apparatus,” “machine,” “server” and “device” as used hereinare not limited to a single hardware device, but rather include anyhardware and software configured to provide the described functionality.

The cloud 904 is intended to refer to a data network or combination ofdata networks, often including the Internet. Client machines located inthe cloud 904 may communicate with the on-demand database serviceenvironment to access services provided by the on-demand databaseservice environment. For example, client machines may access theon-demand database service environment to retrieve, store, edit, and/orprocess information.

In some implementations, the edge routers 908 and 912 route packetsbetween the cloud 904 and other components of the on-demand databaseservice environment 900. The edge routers 908 and 912 may employ theBorder Gateway Protocol (BGP). The BGP is the core routing protocol ofthe Internet. The edge routers 908 and 912 may maintain a table of IPnetworks or ‘prefixes’, which designate network reachability amongautonomous systems on the Internet.

In one or more implementations, the firewall 916 may protect the innercomponents of the on-demand database service environment 900 fromInternet traffic. The firewall 916 may block, permit, or deny access tothe inner components of the on-demand database service environment 900based upon a set of rules and other criteria. The firewall 916 may actas one or more of a packet filter, an application gateway, a statefulfilter, a proxy server, or any other type of firewall.

In some implementations, the core switches 920 and 924 are high-capacityswitches that transfer packets within the on-demand database serviceenvironment 900. The core switches 920 and 924 may be configured asnetwork bridges that quickly route data between different componentswithin the on-demand database service environment. In someimplementations, the use of two or more core switches 920 and 924 mayprovide redundancy and/or reduced latency.

In some implementations, the pods 940 and 944 may perform the core dataprocessing and service functions provided by the on-demand databaseservice environment. Each pod may include various types of hardwareand/or software computing resources. An example of the pod architectureis discussed in greater detail with reference to FIG. 8B.

In some implementations, communication between the pods 940 and 944 maybe conducted via the pod switches 932 and 936. The pod switches 932 and936 may facilitate communication between the pods 940 and 944 and clientmachines located in the cloud 904, for example via core switches 920 and924. Also, the pod switches 932 and 936 may facilitate communicationbetween the pods 940 and 944 and the database storage 956.

In some implementations, the load balancer 928 may distribute workloadbetween the pods 940 and 944. Balancing the on-demand service requestsbetween the pods may assist in improving the use of resources,increasing throughput, reducing response times, and/or reducingoverhead. The load balancer 928 may include multilayer switches toanalyze and forward traffic.

In some implementations, access to the database storage 956 may beguarded by a database firewall 948. The database firewall 948 may act asa computer application firewall operating at the database applicationlayer of a protocol stack. The database firewall 948 may protect thedatabase storage 956 from application attacks such as structure querylanguage (SQL) injection, database rootkits, and unauthorizedinformation disclosure.

In some implementations, the database firewall 948 may include a hostusing one or more forms of reverse proxy services to proxy trafficbefore passing it to a gateway router. The database firewall 948 mayinspect the contents of database traffic and block certain content ordatabase requests. The database firewall 948 may work on the SQLapplication level atop the TCP/IP stack, managing applications'connection to the database or SQL management interfaces as well asintercepting and enforcing packets traveling to or from a databasenetwork or application interface.

In some implementations, communication with the database storage 956 maybe conducted via the database switch 952. The multi-tenant databasestorage 956 may include more than one hardware and/or softwarecomponents for handling database queries. Accordingly, the databaseswitch 952 may direct database queries transmitted by other componentsof the on-demand database service environment (e.g., the pods 940 and944) to the correct components within the database storage 956.

In some implementations, the database storage 956 is an on-demanddatabase system shared by many different organizations. The on-demanddatabase service may employ a multi-tenant approach, a virtualizedapproach, or any other type of database approach. On-demand databaseservices are discussed in greater detail with reference to FIGS. 8A and8B.

FIG. 8B shows a system diagram further illustrating an example ofarchitectural components of an on-demand database service environment,in accordance with some implementations. The pod 944 may be used torender services to a user of the on-demand database service environment900. In some implementations, each pod may include a variety of serversand/or other systems. The pod 944 includes one or more content batchservers 964, content search servers 968, query servers 982, file servers986, access control system (ACS) servers 980, batch servers 984, and appservers 988. Also, the pod 944 includes database instances 990, quickfile systems (QFS) 992, and indexers 994. In one or moreimplementations, some or all communication between the servers in thepod 944 may be transmitted via the switch 936.

The content batch servers 964 may handle requests internal to the pod.These requests may be long-running and/or not tied to a particularcustomer. For example, the content batch servers 964 may handle requestsrelated to log mining, cleanup work, and maintenance tasks.

The content search servers 968 may provide query and indexer functions.For example, the functions provided by the content search servers 968may allow users to search through content stored in the on-demanddatabase service environment.

The file servers 986 may manage requests for information stored in thefile storage 998. The file storage 998 may store information such asdocuments, images, and basic large objects (BLOBs). By managing requestsfor information using the file servers 986, the image footprint on thedatabase may be reduced.

The query servers 982 may be used to retrieve information from one ormore file systems. For example, the query system 982 may receiverequests for information from the app servers 988 and then transmitinformation queries to the NFS 996 located outside the pod.

The pod 944 may share a database instance 990 configured as amulti-tenant environment in which different organizations share accessto the same database. Additionally, services rendered by the pod 944 maycall upon various hardware and/or software resources. In someimplementations, the ACS servers 980 may control access to data,hardware resources, or software resources.

In some implementations, the batch servers 984 may process batch jobs,which are used to run tasks at specified times. Thus, the batch servers984 may transmit instructions to other servers, such as the app servers988, to trigger the batch jobs.

In some implementations, the QFS 992 may be an open source file systemavailable from Sun Microsystems® of Santa Clara, Calif. The QFS mayserve as a rapid-access file system for storing and accessinginformation available within the pod 944. The QFS 992 may support somevolume management capabilities, allowing many disks to be groupedtogether into a file system. File system metadata can be kept on aseparate set of disks, which may be useful for streaming applicationswhere long disk seeks cannot be tolerated. Thus, the QFS system maycommunicate with one or more content search servers 968 and/or indexers994 to identify, retrieve, move, and/or update data stored in thenetwork file systems 996 and/or other storage systems.

In some implementations, one or more query servers 982 may communicatewith the NFS 996 to retrieve and/or update information stored outside ofthe pod 944. The NFS 996 may allow servers located in the pod 944 toaccess information to access files over a network in a manner similar tohow local storage is accessed.

In some implementations, queries from the query servers 922 may betransmitted to the NFS 996 via the load balancer 928, which maydistribute resource requests over various resources available in theon-demand database service environment. The NFS 996 may also communicatewith the QFS 992 to update the information stored on the NFS 996 and/orto provide information to the QFS 992 for use by servers located withinthe pod 944.

In some implementations, the pod may include one or more databaseinstances 990. The database instance 990 may transmit information to theQFS 992. When information is transmitted to the QFS, it may be availablefor use by servers within the pod 944 without using an additionaldatabase call.

In some implementations, database information may be transmitted to theindexer 994. Indexer 994 may provide an index of information availablein the database 990 and/or QFS 992. The index information may beprovided to file servers 986 and/or the QFS 992.

Some but not all of the techniques described or referenced herein areimplemented as part of or in conjunction with a social networkingdatabase system, also referred to herein as a social networking systemor as a social network. Social networking systems have become a popularway to facilitate communication among people, any of whom can berecognized as users of a social networking system. One example of asocial networking system is Chatter®, provided by salesforce.com, inc.of San Francisco, Calif. salesforce.com, inc. is a provider of socialnetworking services, CRM services and other database managementservices, any of which can be accessed and used in conjunction with thetechniques disclosed herein in some implementations. These variousservices can be provided in a cloud computing environment, for example,in the context of a multi-tenant database system. Thus, the disclosedtechniques can be implemented without having to install softwarelocally, that is, on computing devices of users interacting withservices available through the cloud. While the disclosedimplementations are often described with reference to Chatter®, thoseskilled in the art should understand that the disclosed techniques areneither limited to Chatter® nor to any other services and systemsprovided by salesforce.com, inc. and can be implemented in the contextof various other database systems and/or social networking systems suchas Facebook®, LinkedIn®, Twitter®, Google+®, Yammer® and Jive® by way ofexample only.

Some social networking systems can be implemented in various settings,including organizations. For instance, a social networking system can beimplemented to connect users within an enterprise such as a company orbusiness partnership, or a group of users within such an organization.For instance, Chatter® can be used by employee users in a division of abusiness organization to share data, communicate, and collaborate witheach other for various social purposes often involving the business ofthe organization. In the example of a multi-tenant database system, eachorganization or group within the organization can be a respective tenantof the system, as described in greater detail herein.

In some social networking systems, users can access one or more socialnetwork feeds, which include information updates presented as items orentries in the feed. Such a feed item can include a single informationupdate or a collection of individual information updates. A feed itemcan include various types of data including character-based data, audiodata, image data and/or video data. A social network feed can bedisplayed in a graphical user interface (GUI) on a display device suchas the display of a computing device as described herein. Theinformation updates can include various social network data from varioussources and can be stored in an on-demand database service environment.In some implementations, the disclosed methods, apparatus, systems, andcomputer-readable storage media may be configured or designed for use ina multi-tenant database environment.

In some implementations, a social networking system may allow a user tofollow data objects in the form of CRM records such as cases, accounts,or opportunities, in addition to following individual users and groupsof users. The “following” of a record stored in a database, as describedin greater detail herein, allows a user to track the progress of thatrecord when the user is subscribed to the record. Updates to the record,also referred to herein as changes to the record, are one type ofinformation update that can occur and be noted on a social network feedsuch as a record feed or a news feed of a user subscribed to the record.Examples of record updates include field changes in the record, updatesto the status of a record, as well as the creation of the record itself.Some records are publicly accessible, such that any user can follow therecord, while other records are private, for which appropriate securityclearance/permissions are a prerequisite to a user following the record.

Information updates can include various types of updates, which may ormay not be linked with a particular record. For example, informationupdates can be social media messages submitted by a user or canotherwise be generated in response to user actions or in response toevents. Examples of social media messages include: posts, comments,indications of a user's personal preferences such as “likes” and“dislikes”, updates to a user's status, uploaded files, anduser-submitted hyperlinks to social network data or other network datasuch as various documents and/or web pages on the Internet. Posts caninclude alpha-numeric or other character-based user inputs such aswords, phrases, statements, questions, emotional expressions, and/orsymbols. Comments generally refer to responses to posts or to otherinformation updates, such as words, phrases, statements, answers,questions, and reactionary emotional expressions and/or symbols.Multimedia data can be included in, linked with, or attached to a postor comment. For example, a post can include textual statements incombination with a JPEG image or animated image. A like or dislike canbe submitted in response to a particular post or comment. Examples ofuploaded files include presentations, documents, multimedia files, andthe like.

Users can follow a record by subscribing to the record, as mentionedabove. Users can also follow other entities such as other types of dataobjects, other users, and groups of users. Feed tracked updatesregarding such entities are one type of information update that can bereceived and included in the user's news feed. Any number of users canfollow a particular entity and thus view information updates pertainingto that entity on the users' respective news feeds. In some socialnetworks, users may follow each other by establishing connections witheach other, sometimes referred to as “friending” one another. Byestablishing such a connection, one user may be able to see informationgenerated by, generated about, or otherwise associated with anotheruser. For instance, a first user may be able to see information postedby a second user to the second user's personal social network page. Oneimplementation of such a personal social network page is a user'sprofile page, for example, in the form of a web page representing theuser's profile. In one example, when the first user is following thesecond user, the first user's news feed can receive a post from thesecond user submitted to the second user's profile feed. A user'sprofile feed is also referred to herein as the user's “wall,” which isone example of a social network feed displayed on the user's profilepage.

In some implementations, a social network feed may be specific to agroup of users of a social networking system. For instance, a group ofusers may publish a news feed. Members of the group may view and post tothis group feed in accordance with a permissions configuration for thefeed and the group. Information updates in a group context can alsoinclude changes to group status information.

In some implementations, when data such as posts or comments input fromone or more users are submitted to a social network feed for aparticular user, group, object, or other construct within a socialnetworking system, an email notification or other type of networkcommunication may be transmitted to all users following the user, group,or object in addition to the inclusion of the data as a feed item in oneor more feeds, such as a user's profile feed, a news feed, or a recordfeed. In some social networking systems, the occurrence of such anotification is limited to the first instance of a published input,which may form part of a larger conversation. For instance, anotification may be transmitted for an initial post, but not forcomments on the post. In some other implementations, a separatenotification is transmitted for each such information update.

The term “multi-tenant database system” generally refers to thosesystems in which various elements of hardware and/or software of adatabase system may be shared by one or more customers. For example, agiven application server may simultaneously process requests for a greatnumber of customers, and a given database table may store rows of datasuch as feed items for a potentially much greater number of customers.

An example of a “user profile” or “user's profile” is a database objector set of objects configured to store and maintain data about a givenuser of a social networking system and/or database system. The data caninclude general information, such as name, title, phone number, a photo,a biographical summary, and a status, e.g., text describing what theuser is currently doing. As mentioned herein, the data can includesocial media messages created by other users. Where there are multipletenants, a user is typically associated with a particular tenant. Forexample, a user could be a salesperson of a company, which is a tenantof the database system that provides a database service.

The term “record” generally refers to a data entity having fields withvalues and stored in database system. An example of a record is aninstance of a data object created by a user of the database service, forexample, in the form of a CRM record about a particular (actual orpotential) business relationship or project. The record can have a datastructure defined by the database service (a standard object) or definedby a user (custom object). For example, a record can be for a businesspartner or potential business partner (e.g., a client, vendor,distributor, etc.) of the user, and can include information describingan entire company, subsidiaries, or contacts at the company. As anotherexample, a record can be a project that the user is working on, such asan opportunity (e.g., a possible sale) with an existing partner, or aproject that the user is trying to get. In one implementation of amulti-tenant database system, each record for the tenants has a uniqueidentifier stored in a common table. A record has data fields that aredefined by the structure of the object (e.g., fields of certain datatypes and purposes). A record can also have custom fields defined by auser. A field can be another record or include links thereto, therebyproviding a parent-child relationship between the records.

The terms “social network feed” and “feed” are used interchangeablyherein and generally refer to a combination (e.g., a list) of feed itemsor entries with various types of information and data. Such feed itemscan be stored and maintained in one or more database tables, e.g., asrows in the table(s), that can be accessed to retrieve relevantinformation to be presented as part of a displayed feed. The term “feeditem” (or feed element) generally refers to an item of information,which can be presented in the feed such as a post submitted by a user.Feed items of information about a user can be presented in a user'sprofile feed of the database, while feed items of information about arecord can be presented in a record feed in the database, by way ofexample. A profile feed and a record feed are examples of differenttypes of social network feeds. A second user following a first user anda record can receive the feed items associated with the first user andthe record for display in the second user's news feed, which is anothertype of social network feed. In some implementations, the feed itemsfrom any number of followed users and records can be combined into asingle social network feed of a particular user.

As examples, a feed item can be a social media message, such as auser-generated post of text data, and a feed tracked update to a recordor profile, such as a change to a field of the record. Feed trackedupdates are described in greater detail herein. A feed can be acombination of social media messages and feed tracked updates. Socialmedia messages include text created by a user, and may include otherdata as well. Examples of social media messages include posts, userstatus updates, and comments. Social media messages can be created for auser's profile or for a record. Posts can be created by various users,potentially any user, although some restrictions can be applied. As anexample, posts can be made to a wall section of a user's profile page(which can include a number of recent posts) or a section of a recordthat includes multiple posts. The posts can be organized inchronological order when displayed in a GUI, for instance, on the user'sprofile page, as part of the user's profile feed. In contrast to a post,a user status update changes a status of a user and can be made by thatuser or an administrator. A record can also have a status, the update ofwhich can be provided by an owner of the record or other users havingsuitable write access permissions to the record. The owner can be asingle user, multiple users, or a group.

In some implementations, a comment can be made on any feed item. In someimplementations, comments are organized as a list explicitly tied to aparticular feed tracked update, post, or status update. In someimplementations, comments may not be listed in the first layer (in ahierarchal sense) of feed items, but listed as a second layer branchingfrom a particular first layer feed item.

A “feed tracked update,” also referred to herein as a “feed update,” isone type of information update and generally refers to data representingan event. A feed tracked update can include text generated by thedatabase system in response to the event, to be provided as one or morefeed items for possible inclusion in one or more feeds. In oneimplementation, the data can initially be stored, and then the databasesystem can later use the data to create text for describing the event.Both the data and/or the text can be a feed tracked update, as usedherein. In various implementations, an event can be an update of arecord and/or can be triggered by a specific action by a user. Whichactions trigger an event can be configurable. Which events have feedtracked updates created and which feed updates are sent to which userscan also be configurable. Social media messages and other types of feedupdates can be stored as a field or child object of the record. Forexample, the feed can be stored as a child object of the record.

A “group” is generally a collection of users. In some implementations,the group may be defined as users with a same or similar attribute, orby membership. In some implementations, a “group feed”, also referred toherein as a “group news feed”, includes one or more feed items about anyuser in the group. In some implementations, the group feed also includesinformation updates and other feed items that are about the group as awhole, the group's purpose, the group's description, and group recordsand other objects stored in association with the group. Threads ofinformation updates including group record updates and social mediamessages, such as posts, comments, likes, etc., can define groupconversations and change over time.

An “entity feed” or “record feed” generally refers to a feed of feeditems about a particular record in the database. Such feed items caninclude feed tracked updates about changes to the record and posts madeby users about the record. An entity feed can be composed of any type offeed item. Such a feed can be displayed on a page such as a web pageassociated with the record, e.g., a home page of the record. As usedherein, a “profile feed” or “user's profile feed” generally refers to afeed of feed items about a particular user. In one example, the feeditems for a profile feed include posts and comments that other usersmake about or send to the particular user, and status updates made bythe particular user. Such a profile feed can be displayed on a pageassociated with the particular user. In another example, feed items in aprofile feed could include posts made by the particular user and feedtracked updates initiated based on actions of the particular user.

While some of the disclosed implementations may be described withreference to a system having an application server providing a front endfor an on-demand database service capable of supporting multipletenants, the disclosed implementations are not limited to multi-tenantdatabases nor deployment on application servers. Some implementationsmay be practiced using various database architectures such as ORACLE®,DB2® by IBM and the like without departing from the scope of theimplementations claimed.

It should be understood that some of the disclosed implementations canbe embodied in the form of control logic using hardware and/or computersoftware in a modular or integrated manner. Other ways and/or methodsare possible using hardware and a combination of hardware and software.

Any of the disclosed implementations may be embodied in various types ofhardware, software, firmware, and combinations thereof. For example,some techniques disclosed herein may be implemented, at least in part,by computer-readable media that include program instructions, stateinformation, etc., for performing various services and operationsdescribed herein. Examples of program instructions include both machinecode, such as produced by a compiler, and files containing higher-levelcode that may be executed by a computing device such as a server orother data processing apparatus using an interpreter. Examples ofcomputer-readable media include, but are not limited to: magnetic mediasuch as hard disks, floppy disks, and magnetic tape; optical media suchas flash memory, compact disk (CD) or digital versatile disk (DVD);magneto-optical media; and hardware devices specially configured tostore program instructions, such as read-only memory (“ROM”) devices andrandom access memory (“RAM”) devices. A computer-readable medium may beany combination of such storage devices.

Any of the operations and techniques described in this application maybe implemented as software code to be executed by a processor using anysuitable computer language such as, for example, Java, C++ or Perlusing, for example, object-oriented techniques. The software code may bestored as a series of instructions or commands on a computer-readablemedium. Computer-readable media encoded with the software/program codemay be packaged with a compatible device or provided separately fromother devices (e.g., via Internet download). Any such computer-readablemedium may reside on or within a single computing device or an entirecomputer system, and may be among other computer-readable media within asystem or network. A computer system or computing device may include amonitor, printer, or other suitable display for providing any of theresults mentioned herein to a user. While various implementations havebeen described herein, it should be understood that they have beenpresented by way of example only, and not limitation. Thus, the breadthand scope of the present application should not be limited by any of theimplementations described herein, but should be defined only inaccordance with the following and later-submitted claims and theirequivalents.

What is claimed is:
 1. A system comprising: a processor; and a memorystoring instructions configurable to cause: obtaining a plurality ofdocuments for a web-based application, the web-based applicationcomprising one or more of a plurality of components, the plurality ofcomponents comprising one or more custom components and one or moreapplication programming interface (API) components; processing adocument object model (DOM) corresponding to the web-based application,wherein the one or more components of the web-based application aremodeled in hierarchical form; assigning each API component to a systemmode setting configured to provide the API component access to the oneor more components of the web-based application; generating one or moresecure documents for each custom component, each secure documentcomprising a key constituting an object reference of the customcomponent such that the custom component is accessible only to othercustom components capable of providing the key in accordance with one ormore rules of capability security; and assigning each custom componentto a user mode setting configured to provide the custom component accessto another component of the web-based application for which the customcomponent can provide the key.
 2. The system of claim 1, theinstructions further configurable to cause: for each custom component,restricting access to other custom components for which the customcomponent cannot provide the key.
 3. The system of claim 1, theinstructions further configurable to cause: for each API component,determining whether the API component is a private API component or apublic API component; and for each custom component, restricting accessto private API components.
 4. The system of claim 3, wherein the usermode setting is further configured to provide custom components accessto public API components.
 5. The system of claim 1, the instructionsfurther configurable to cause: assigning a component to a security modesetting different from the system mode setting and the user modesetting.
 6. The system of claim 5, wherein the security mode setting isconfigured to restrict access of the component to one or more othercomponents different from the component.
 7. The system of claim 5,wherein the security mode setting is configured to provide access of thecomponent to one or more other components different from the component.8. The system of claim 5, the instructions further configurable tocause: providing keys for all custom components to all API componentsassigned to a system mode setting; and determining, by an API componentassigned to a system mode setting, that a custom component assigned to auser mode setting can provide the key to another custom componentassigned to a user mode setting.
 9. The system of claim 1, wherein upongenerating the one or more secure documents for a custom component,access to one or more original documents associated with the customcomponent is prohibited to all components except for API components. 10.The system of claim 1, the instructions further configurable to cause:generating a stamp associated with each custom component, wherein thestamp uniquely identifies a capability security mechanism associatedwith the custom component; and determining, upon a component providing akey for another component, that the capability security mechanism of theother component is associated with the stamp for the other component.11. A system comprising: a database system implemented using a serversystem comprising one or more hardware processors, the database systemconfigurable to cause: obtaining a plurality of documents for aweb-based application, the web-based application comprising one or moreof a plurality of components, the plurality of components comprising oneor more custom components and one or more application programminginterface (API) components; processing a document object model (DOM)corresponding to the web-based application, wherein the one or morecomponents of the web-based application are modeled in hierarchicalform; assigning each API component to a system mode setting configuredto provide the API component access to the one or more components of theweb-based application; generating one or more secure documents for eachcustom component, each secure document comprising a key constituting anobject reference of the custom component such that the custom componentis accessible only to other custom components capable of providing thekey in accordance with one or more rules of capability security; andassigning each custom component to a user mode setting configured toprovide the custom component access to another component of theweb-based application for which the custom component can provide thekey.
 12. The system of claim 11, the database system furtherconfigurable to cause: for each custom component, restricting access toother custom components for which the custom component cannot providethe key.
 13. The system of claim 11, the database system furtherconfigurable to cause: for each API component, determining whether theAPI component is a private API component or a public API component; andfor each custom component, restricting access to private API components.14. The system of claim 13, wherein the user mode setting is furtherconfigured to provide custom components access to public API components.15. The system of claim 11, the database system further configurable tocause: assigning a component to a security mode setting different fromthe system mode setting and the user mode setting.
 16. The system ofclaim 11, the database system further configurable to cause: providingkeys for all custom components to all API components assigned to asystem mode setting; and determining, by an API component assigned to asystem mode setting, that a custom component assigned to a user modesetting can provide the key to another custom component assigned to auser mode setting.
 17. The system of claim 11, wherein upon generatingthe one or more secure documents for a custom component, access to oneor more original documents associated with the custom component isprohibited to all components except for API components.
 18. A computerprogram product comprising computer-readable program code capable ofbeing executed by one or more processors when retrieved from anon-transitory computer-readable medium, the program code comprisinginstructions configurable to cause: obtaining a plurality of documentsfor a web-based application, the web-based application comprising one ormore of a plurality of components, the plurality of componentscomprising one or more custom components and one or more applicationprogramming interface (API) components; processing a document objectmodel (DOM) corresponding to the web-based application, wherein the oneor more components of the web-based application are modeled inhierarchical form; assigning each API component to a system mode settingconfigured to provide the API component access to the one or morecomponents of the web-based application; generating one or more securedocuments for each custom component, each secure document comprising akey constituting an object reference of the custom component such thatthe custom component is accessible only to other custom componentscapable of providing the key in accordance with one or more rules ofcapability security; and assigning each custom component to a user modesetting configured to provide the custom component access to anothercomponent of the web-based application for which the custom componentcan provide the key.
 19. The computer program product of claim 18, theinstructions further configurable to cause: for each custom component,restricting access to other custom components for which the customcomponent cannot provide the key.
 20. The computer program product ofclaim 18, the instructions further configurable to cause: for each APIcomponent, determining whether the API component is a private APIcomponent or a public API component; and for each custom component,restricting access to private API components.